The cyber security challenge – and how to address it

From the rise of remote working and cloud computing to the dawning revolution in generative AI, we live in an increasingly digital world. This new world clearly brings enormous social and economic benefits, as new technologies drive innovation and growth. But as our dependence on digital technologies deepens, so too do the associated cyber risks, which are becoming an increasingly challenging and urgent cause for concern.

Indeed, nearly 40 percent of experts surveyed for the World Economic Forum’s Global Risks Report 2024 consider cyberattacks to be a “paramount risk” with the potential to trigger a material crisis soon. As a result, cyberattacks ranked among the top five global threats in the report’s analysis of the current risk landscape.

The disruptive impact and financial costs of cyberattacks are already evident. Last year, ransomware payments reached a record-breaking USD 1.1 billion, with attackers deploying increasingly sophisticated methods to break into computer systems. Looking ahead, the global cost of cybercrime is projected to increase to nearly USD 24 trillion by 2027, up from USD 8.5 trillion in 2022 – without factoring in the huge global costs of non-malicious cyber events such as the recent CrowdStrike outage.

The speed and scale of the growth in cyber threats is outpacing the ability of traditional insurance and risk management strategies to fully mitigate them. The insurance industry, with its long track record of fostering and safeguarding economic prosperity, clearly has a critical role to play. Its products can help by both transferring cyber risk and incentivizing businesses to build cyber resilience. It is therefore no surprise that the cyber insurance market is experiencing powerful growth: the market was estimated at USD 14 billion gross written premium (GWP) last year and is projected to more than double by 2027.

However, despite this steep upward curve, a substantial cyber risk protection gap persists. Indeed, the chasm between insured losses and economic losses due to cyberattacks is estimated to be USD 0.9 trillion. This staggering gap in cyber risk protection demands an urgent response. The scale and ubiquity of cyber risks mean that some are inevitably unquantifiable and considered uninsurable. It is here that the role of the public sector in building cyber resilience is key, so that public-private partnerships can sustain the market and protect the economy as potentially catastrophic cyber incidents arise.

Public sector interventions already help to address the potential impacts of natural disasters, nuclear risk and terrorism. Cyber risk is now considered comparable to these risks and demands a similar public-private approach. The work of the U.S. Cybersecurity & Infrastructure Security Agency (CISA) to share U.S. government data about how best to defend against cyber incidents and the EU’s Digital Operational Resilience Act, which requires businesses to introduce robust processes to manage and mitigate ICT risk, are two examples of how public sector involvement, in partnership with insurers, can build resilient frameworks for managing potentially catastrophic cyber risks.

Alongside cyber risk management and mitigation, a third shared goal of the public sector and insurance industry is to build cyber resilience. How can this be achieved? First, we must work together to raise awareness and foster digital maturity, for example by incentivizing and sharing best practices in cyber hygiene. Second, insurers can help the significant proportion of businesses who are currently uninsured and underinsured. Simplifying elements of the insurance procurement process, providing holistic solutions and supporting public-private partnerships can all help to meet cyber risk challenges. Third, building a common framework for collating and sharing cyber loss and insurance data should help brokers, insurers and government agencies to analyze larger pools of aggregated data and thereby provide more valuable insights and recommendations.

Given the scale of the threat, coordinated action both within organizations and across sectors is needed to build resilience to this fast-evolving risk.